Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can an anonymous proxy service capture my email password?


I some times use anonymous proxy server for browsing the web. Suppose I use
this to check my email can that proxy server capture my password?

Short answer: quite possibly.

Longer answer: quite possibly your password and much, much more.

It depends on the proxy server, how it works, and how you’re connecting to
the sites you’re attempting to access anonymously.

Become a Patron of Ask Leo! and go ad-free!

First, a quick refresher on how you connect to a web site and why an
anonymizing service is interesting.

Recall that when you connect to a web site your internet IP address is
provided to the server hosting the web site:

IP transmission to a web site being visited

And yes, that’s Ask Leo! in the example image because as you’re visiting
this site, your IP address is transmitted to the site. In fact, I think your IP
address is:

“… it really does all boil down to trust.”

As we’ll see in a moment, several things can affect that, but for most
of you that’s the internet IP address of your computer or your router if
your computer is behind one.

You can’t prevent an IP from being exposed to the computers and servers you
visit. It’s the fundamental nature of the internet. Communication of IP
addresses is required to make it all work.

But you can – sort of – control which IP gets communicated and how far.

Enter the anonymization service:

IP transmission to a web site being visited through a proxy service

Here you can see that you’re using an intermediary. Your IP address only
goes as far as the proxy service. They then turn around and make the web site
request on your behalf (hence “proxy”), exposing only their IP address
to the web site you’re visiting, not your IP address.

There are several such services, but they all share one thing in common:

You have to trust them.

Here’s the problem: every request you make, and every response you get is
routed through the proxy service’s servers.


That has two exceptionally important ramifications:

  1. The proxy knows your IP. If they maintain and retain access
    logs, it’s conceivable that those logs could be demanded by legal authorities
    to track activity. They’d know the IP address you were coming in from and the
    web sites that you were visiting through the proxy.

    I’d expect a “good” proxy not to keep those logs at all, but you never know.
    It’s a matter of trust.

  2. The proxy sees your data. Every request you make goes to
    the proxy where it’s interpreted so that the proxy knows what to do with it
    next. While it’s looking at it, your data could be there for the proxy to
    examine and do whatever else with. So yes, if that data contains your email
    account name and password in unencrypted text, you bet a malicious proxy could
    be collecting that information.

Fundamentally you’re implicitly trusting the proxy to be a good player – both
preserving your anonymity, and not peeking at your data.

But what about secure connections using https?

In general, a proxied connection over https is safe from data snooping. The
proxy still knows your IP, of course, so that responses can be sent back to
you, but the data is obscured by encryption.

There are issues to be aware of and be careful with:

  • Know what’s being encrypted. Quite often only the
    connection to the proxy server itself is encrypted. For example, if you’re
    connecting to then
    you’re establishing a secure connection only to the proxy server. This is
    common for services that provide secure internet access for open wifi hotspot
    users, for example, as it prevents all your data from being sniffed.

    It’s also not uncommon to configure a proxy service in your Internet Options
    in this same way. When this is done then the connection to the proxy server
    is secure even if you’re not specifying https on every website access.

    But the bottom line is that if the connection to the proxy server is secure,
    that still does not prevent the proxy from examining your data.

  • Make sure it’s proxying end-to-end https connections. So
    the solution keep your data secure even from the proxy itself is to use secure
    connections end to end. For example accessing establishes a secure encrypted
    connection between your computer and the service. Proxies or other types of
    data interception will not be able to decipher the contents of your

    The catch? Not all proxy services handle https. So if you make an https
    connection to your favorite site then you might be connecting directly, and thus
    exposing your IP address to the site, defeating any attempts to gain anonymous

  • There’s an obscure hack that could render https insecure through
    Particularly in a corporate or other institutional
    environment where you don’t actually control your own machine, replacement
    security certificates could be installed on your machine that could
    allow the proxy server to intercept secure communications to specific https
    sites. Your browser would connect securely, but would be tricked into
    connecting to the proxy thinking it was connecting to the remote site. The
    proxy could then decrypt and examine your data before re-encrypting it and
    sending it on to the site you’re accessing.

    The only way I know of to detect this is to examine the security
    certificates of the https connection at the time you make it, and make sure
    that the entire chain of certificate trust is as it should be. Yep, this can be
    obscure and/or difficult, particularly since we don’t always know what it
    “should be”. Comparing the certificates you see at work against what you see at
    home for the same connection might be a good indicator. The good news, if you
    want to call it that, is that this is also difficult to set up correctly in the
    first place, so I believe it’s quite rare.

As you can see, it really does all boil down to trust. Just like your ISP
for normal connections, you’re giving a proxy service a tremendous amount of
access just by using them. Your IP address might not be presented to the remote
site you’re connecting to, but just by the nature of the internet it must be
presented to the proxy. And in the worst case not only can a proxy log your
accesses, a malicious proxy could typically quite easily examine your data,
passwords and all.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

9 comments on “Can an anonymous proxy service capture my email password?”

    Hash: SHA1

    It depends on the proxy. Do you trust them?

    *Technically* proxies only make it much more difficult to track you, but not
    impossible. If the proxies are all keeping a log, then those logs could be
    examined together to trace down who’s doing what. Difficult and unlikely, but


    Version: GnuPG v1.4.7 (MingW32)


  2. The yahoo has unsaved security. When I visited another websites then I went back the to my email yahoo’s site was still there. Can someone know what I,m doing when he or she has my IP address and can they look in my yahoo email address and know all my privates and activities? Can they know my passwords when I lock in my email and ebay if they have my IP and know all the websites I just visited . ?

    Hash: SHA1

    I read every reasonable and on-topic comment. Your’s almost didn’t make the
    cut. :-).


    Version: GnuPG v1.4.7 (MingW32)


  4. If someone accessed my yahoo email account and deleted everything, is it possible to find the IP that accessed my email, and track that person down?

    Only if you can get the police to take an interest.


  5. Hello,

    Can you please tell me some proxy services that are trustworthy in your opinion? One that works on your computer (rather than in the browser) would be preferable. Thank you.


  6. A friend of mine is working in a company where there is a Squid proxy server logging and probably caching any web activity of all the clients. He is supposing the sys admin use this system to get his username and password of his gmail and hotmail account (regularly checked via webmail). It is possible to get user and pwd in that way? he is really worried if it is so!

  7. Hello, Fist I would like to say thank you very much you have answers my prayer. I am a blackberry user and I use my blackberry phone as a modem for internet on my laptop but my network only allows ‘http’ connections to go through their servers. So I then later on find out about these PROXY SERVERS and I decide to enable them on my computer to use the ‘https’ protocols they work fine not to mention access to my emails, facebook, paypal, amazon, shopping, and my Debit Card. And on the 19th September 2012 a charge was on my debit card I had no knowledge of $40 US. And I notified the bank about it…… And I had to had my card canceled to prevent it from happening again…… Now I have to change all my passwords and email accounts information……………. I would also like to promote this blog on internet security if you have the time to spare.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.